SYSTEM AND METHOD FOR STORAGE OPERATION ACCESS SECURITY
First Claim
Patent Images
1. A method of securing storage operations in a data management system, comprising:
- receiving a request to perform a storage operation that makes data at a source location available at a destination location;
querying access control information, wherein the access control information is associated in a first manner with the source location; and
applying the access control information to the destination location in a second manner different than the first manner in which the access control information was associated with the source location to at least in part permit, prohibit, or modify the requested storage operation.
4 Assignments
0 Petitions
Accused Products
Abstract
A method and system for controlling access to stored data is provided. The storage access control system leverages a preexisting security infrastructure of a system to inform the proper access control that should be applied to data stored outside of its original location, such as a data backup. The storage access control system may place similar access control restrictions on the backup files that existed on the original files. In this way, the backed up data is given similar protection as that of the original data.
189 Citations
60 Claims
-
1. A method of securing storage operations in a data management system, comprising:
-
receiving a request to perform a storage operation that makes data at a source location available at a destination location; querying access control information, wherein the access control information is associated in a first manner with the source location; and applying the access control information to the destination location in a second manner different than the first manner in which the access control information was associated with the source location to at least in part permit, prohibit, or modify the requested storage operation. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A system for securing storage operations, comprising:
-
a network security component that provides access control for data stored by one or more computers in a network a storage operation component associated with performing storage operations on the data that creates secondary copies of the data; and an access control migration component that captures access control information maintained by the network security component and applies the access control information to the secondary copies of the data created by the storage operation component. - View Dependent Claims (11, 12, 13, 14, 15, 16)
-
-
17. One or more computer memories collectively containing a data structure for associating access control information with backup data, comprising:
-
a security descriptor having one or more access control lists, wherein each access control list contains one or more access control entries; and a backup data reference that specifies the backup data for which the security descriptor specifies access control information. - View Dependent Claims (18, 19, 20)
-
-
21. A method of creating users who have access to perform data management operations in a data management system, the method comprising:
-
identifying at least one preexisting user created in a security system external to the data management system, wherein the user has certain access rights defined by the security system; creating a group within the data management system that associates one or more users with at least one access right for performing data management operations; adding the identified at least one preexisting user to the created group within the data management system; and querying the security system to determine the certain access rights defined by the security system assigned to the identified at least one preexisting user. - View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
-
-
31. A computer-readable medium containing instructions for controlling a computer system to migrate users from a preexisting security system to a data management system, by a method comprising:
-
receiving a request to create a new security entity in a storage management application of the data management system, wherein the new security entity associates at least one access right for performing a storage management operation with the security entity; providing a list of one or more preexisting security entities defined by a security infrastructure external to the data management system; receiving a selection of at least one preexisting security entity defined by the external security infrastructure; and migrating the at least one selected preexisting security entity defined by the external security infrastructure to the new security entity in the storage management application. - View Dependent Claims (32, 33, 34, 35, 36)
-
-
37. A system for securing storage operations in a storage management system, wherein the storage management system interfaces with an external security component configured to store one or more external users and one or more access rights associated with the external users, the system comprising:
-
a storage management application configured to store one or more storage management users and to perform storage operations on behalf of the one or more storage management users; an access control migration component configured to interface with the external security component and with the storage management application, wherein the access control migration component is further configured to capture the one or more access rights associated with selected external users stored by the external security component, create storage management users based on the external users, and apply at least one of the one or more access rights associated with the external users to the created storage management users. - View Dependent Claims (38, 39, 40)
-
-
41. A method of searching for data objects in a data management system, the method comprising:
-
receiving one or more criteria describing at least one data object to be located within the data management system; identifying one or more data objects stored within the data management system that satisfy the received one or more criteria; applying one or more access rights associated with the identified one or more data objects stored within the data management system to filter the identified one or more data objects; and providing a filtered list of results that contains the identified one or more data objects, wherein the list is filtered based on the applied one or more access rights. - View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
-
-
52. A computer-readable medium containing instructions for controlling a computer system to restrict access to data objects stored within a storage management system, by a method comprising:
-
receiving a request identifying a particular copy of a data object for which access rights are to be determined, wherein the data object has multiple copies; identifying the entity requesting access to the particular copy of the data object; querying access control information for the particular copy of the data object from the storage management system, wherein the storage management system associates access control information with each data object when a first instance of the data object is encountered and associates the access control information with each subsequent copy of the data object that is created; and
,indicating whether the identified entity requesting access to the data object is granted access to the data object based on the access control information associated with the data object by the storage management system, wherein the indication is the same regardless of which of the multiple copies of the data object the request identifies. - View Dependent Claims (53, 54, 55, 56, 57)
-
-
58. A system for filtering data objects provided in response to a search in a data management system based on access rights associated with the data objects, the system comprising:
-
a network security component that provides access control information for data objects stored by one or more computers within the data management system, wherein the access control information is based on access control information associated with source data used to create each data object; an entity identification component that identifies an entity requesting access to a data object stored within the data management system; a storage search component that receives criteria and performs searches for data objects within the data management system that satisfy at least one or the criteria; and a data object access component that determines whether the entity identified by the entity identification component has access to the data objects discovered by the storage search component based on the access control information. - View Dependent Claims (59, 60)
-
Specification